Over the course of the last three decades, cyberspace has been ‘woven into the fabric of daily life’[1] and now permeates all aspects of modern society. Most recent figures indicate that by the end of June 2016, 48.7% of the world’s population were users of the Internet, an increase of 890.8% since 2000.[2]
Notwithstanding the enormous benefits and opportunities it offers, cyberspace has also become a source of threats and vulnerabilities. The threat landscape in cyberspace is multifaceted and can range from hacking, cybercrime and cyber espionage to far more serious attacks on computer systems and networks that support critical national infrastructure and which can cause significant disruption, destruction or even lead to human loss.[3] The agents of threats are also diverse, involving not only states but also non-state actors. Cyberspace offers a fertile environment for non-state actors to operate because of its borderless character, the anonymity it offers, the low entry barriers and the low operational costs. By non-state actors we mean entities that are not states, but are visible and active on the international stage. They include individuals as well as entities, such as groups, corporations, organisations and non-governmental organisations.[4]
States and individuals look to the power of international law to regulate cyberspace, deter and suppress unwanted or injurious cyber activities and hold those responsible to account. The institution of responsibility is at the heart of international law and is part of the constitution of the international community.[5] This being said, cyberspace poses numerous challenges to international law’s central objective of ensuring responsibility.
An especially important challenge is represented by the fact that the regime of international responsibility limits the category of subjects that incur responsibility to states and to international organizations, whereas individuals can be held responsible in international law only if they commit conduct that amounts to an international crime. Yet, as was said, the unique features of cyberspace produce an ideal environment for various non-state actors to act and possibly cause damage or injury to states, individuals or other non-state actors that is usually below the threshold of international crimes.
If responsibility is the corollary of law, to deny or evade responsibility for wrongful acts threatens the existence of the international legal order itself. In this context, important questions arise, such as: what are the conditions under which acts by non-state actors in cyberspace can be attributed to states? What are the obligations of states with regard to non-state actors? Who is held responsible when non-state actors operate from ungoverned spaces? Regarding individual criminal responsibility, pertinent questions are: can non-state actors commit international crimes through cyberspace or through cyber means? Can commanders be held responsible for international cyber crimes committed by their underlings? Can the International Criminal Court (ICC) exercise jurisdiction over such international crimes?
To establish responsibility, evidence is critical. However, the nature of cyberspace, and in particular the fact that it is a virtual domain, the anonymity and speed of activities in cyberspace, the possibility of ‘spoofing’ and the potential for multi-stage action, poses serious challenges to the collection, analysis, authentication and evaluation of evidence. This fact leads to further questions about the requisite standards of proof for criminal or state responsibility.
In view of the above, the objective of this Special Issue is to assess the effectiveness of international law in responding to these challenges and in ensuring responsibility when non-state actors engage in injurious transboundary cyber operations. In pursuit of this objective, this Special Issue is divided into three parts.
Part I addresses questions concerning the responsibility of states in relation to injurious cyber acts committed by non-state actors.
Tim Maurer’s article focuses upon the meaning of the term ‘proxies’ and, in particular, its meaning in the cyber setting. In doing so, he presents the diverse array of proxy relationships in cyberspace and identifies the different distinctions and levels of detachment between a state and a non-state actor by also comparing international law and international relations approaches to proxies.
Kubo Mačák’s contribution focuses upon Article 8 of the International Law Commission’s (ILC) Articles on State Responsibility 2001 and examines the circumstances under which an internationally wrongful act committed by a non-state actor, in or through cyberspace, can be legally attributed to a state. By revisiting the drafting history of the ILC’s Articles, Mačák argues that, contrary to the mainstream view, there are actually three autonomous standards of attribution built into Article 8, namely, instructions, direction and control. After examining the application of these standards to actual and hypothetical cyber operations, Mačák concludes that the Article 8 test for attribution imposes an overly high threshold, which will result in states avoiding responsibility where they encourage and support non-state actors to commit unlawful cyber operations.
Following on from Mačák’s conclusions, Russell Buchan’s article argues that the responsibility deficit that inevitably results from the strictness of the attribution formula can be ameliorated by the customary international law obligation incumbent on states to prevent their cyber infrastructure from being used in a manner injurious to the international legal rights of other states. Buchan reveals that the obligation to prevent imposes a dual duty upon states: first, to possess, on a permanent basis, laws and institutions capable of preventing malicious cyber operations and, secondly, to exercise due diligence in using these laws and institutions in responding to known threats. Buchan then goes on to explore the content of these two duties in relation to malicious transboundary cyber operations emanating from a state’s cyber infrastructure.
Nicholas Tsagourias’ article examines the challenges that the cyber activities of non-state actors operating from ungoverned spaces pose to the institution of state responsibility. Tsagourias concludes that there is a responsibility deficit because none of the ingredients of the law of state responsibility applies in such situations. Because this may delegitimise international law, the author puts forward a framework according to which non-state actors that exercise effective control over territory and people can be held responsible for their injurious cyber activities, and discusses the scope of their obligations, issues of attribution and how their responsibility can be implemented. The cyber activities of ISIS and of pro-ISIS cyber groups provide the background to the discussion.
David Fidler’s article examines the ability and effectiveness of international law in deterring and suppressing the use of cyberspace for terrorist purposes. His article is divided into two sections. The first section focuses upon cyber attacks committed by terrorists and identifies the plethora of international law regimes (including international agreements, Security Council Resolutions and customary rules) that states can potentially utilise to protect themselves from such activity and assesses their effectiveness. The second section of the article turns its attention to the role of international law in preventing the use of the Internet by terrorists for the purposes of recruitment, propaganda and incitement, an important issue given that ISIS has frequently exploited the Internet for such purposes. Fidler identifies the human rights concerns raised when states attempt to censor the use of the Internet and then considers how international law can strike the right balance between effective cyberspace counter terrorism policies on the one hand and the preservation of human rights on the other.
Part II of this Special Issue addresses questions concerning the commission of international crimes through cyberspace or through cyber means; who can be held responsible for such crimes; and whether the ICC can exercise jurisdiction.
Kai Ambos’ article examines the question of whether cyber aggression can satisfy the conditions contained in Article 8bis ICC Statute, which defines the crime of aggression. The author expresses his reservations in this regard, in particular regarding the fact that the crime of aggression needs to be committed by a state. Even if the requisite conditions are satisfied, the author claims that, because aggression is a leadership crime, the person who launched the cyber attack will most probably not be held responsible, but possibly his/her superiors.
Elies van Sliedregt’s article examines the question of whether commanders can be held criminally responsible under the doctrine of command responsibility if their subordinates commit cyber war crimes. The author discusses the elements of the doctrine of command responsibility by looking into international jurisprudence, including the recent Bemba case, and then considers how they apply to cyber war crimes by discussing three scenarios. The first concerns cyber units integrated into the army where command responsibility can be easily established. The second scenario involves outsourcing the commission of the cyber war crime. This raises questions concerning the relationship between the commander and the outsourced individuals and questions as to whether outsourcing increases the risk of crimes being committed as the ICC held in its Bemba judgment. The third scenario concerns individuals not linked to the commander’s unit, in which case command responsibility does not arise.
Michael Vagias’ contribution examines the question of whether the ICC can exercise jurisdiction over international crimes committed in and through cyberspace. The questions addressed by Vagias are: when and where is an international crime consummated in cyberspace and does this location fall within the territorial jurisdiction of the ICC? Concluding that neither the ICC’s main instruments nor the preparatory materials to the Rome Statute shed any light on the issue of territorial jurisdiction, he examines how states have dealt with the issue of jurisdiction in cyberspace. His finding is that states have generally tended to adopt a broad interpretation of territorial jurisdiction by assuming criminal jurisdiction when an aspect of the crime is committed within their territory, or when its effects are felt within their territory. Vagias then assesses the advantages and disadvantages of adopting such a generous approach to the ICC’s territorial jurisdiction.
Part III focuses upon the effectiveness of the international law of evidence for pursuing investigations and obtaining and analysing evidence in the cyber context.
Marco Roscini’s article discusses the use of digital evidence as a means of proof before the International Court of Justice (ICJ). Roscini maintains that whilst the majority of existing ICJ rules and procedures do not specifically address the use of digital evidence, the Court’s general evidentiary rules are nevertheless applicable. The article focuses upon the production of documentary evidence before the ICJ, as well as of audio–visual evidence. Particularly given the prevalence of cyber espionage in the contemporary world order, Roscini usefully considers the use of illegally obtained digital evidence before the ICJ.
In his contribution, Dan Saxon considers evidentiary issues in a criminal law context. The article identifies the difficulties that prosecutors may face when investigating and prosecuting the misuse of cyber weapons by non-state actors. In particular, he notes the evidentiary challenges posed when non-state actors use cyberspace in a manner incompatible with international humanitarian law (IHL) and suggests that we need to formulate new approaches to the application of IHL for this legal framework to continue to achieve its overriding objective of ensuring accountability.
Jean d’Aspremont’s contribution is an exposition of the argumentative patterns adopted by international lawyers to place cyber operations within existing legal frameworks. He labels them ‘problem-finding’, ‘administrativist camouflage’, ‘consequentialist bending’ and ‘evidentiary pragmatism’. The latter involves the adoption of suitable criteria regarding the standard and burden of proof to maximise the efficacy of evidence and to justify international lawyers’ interventionist attitude. d’Aspremont contends that even such pragmatic standards are not sufficient to overcome evidentiary problems, due to the nature of cyberspace, but also due to the initial argumentative choices made by international lawyers. Different choices would yield different rules, but, for the author, this would turn international lawyers into norm-setters, which is an identity-transforming enterprise.
Finally, Michael Schmitt and Sean Watts’s article contends that although international law has always been and remains a system designed primarily to regulate the interactions of sovereign states, international law nevertheless contains rules and is developing new rules that enable regulation of the conduct of non-state actors, even when this conduct takes place in cyberspace. In doing so, their article provides a useful panorama of the various international legal rules that are implicated when malicious cyber operations are committed by non-state actors and assesses the effectiveness of these rules in achieving adequate accountability.
With the exception of the last paper, all the other papers contained in this Special Issue were presented at a conference organised at the University of Sheffield in September 2015. We would like to express our gratitude to the Sheffield Centre for International and European Law at the University of Sheffield for its generous financial support and we would also like to acknowledge Edward Elgar’s financial support. We would also like to thank the editors of the Journal of Conflict and Security Law for publishing this Special Issue. Above all, we would like to thank all the contributing authors for their commitment and stimulating ideas.
We believe that this Special Issue will stimulate further exchanges and discussions as to whether international law is effective in achieving responsibility for malicious non-state cyber conduct and, if not, how international law can be developed or adapted to ensure that any responsibility deficit is avoided or at least ameliorated.